Android: API calls from the server require an appsecret_proof argument

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/22359611/

Time: 2020-08-20 05:52:21  Source: igfitidea

API calls from the server require an appsecret_proof argument

android facebook facebook-graph-api android-facebook

Asked by dwbrito

I can't make API requests with the Android Facebook SDK, or even get the user from the login callback - it always returns null.

Particularly, with the newMeRequest, I get the following error message:

{
  "error": {
    "message": "API calls from the server require an appsecret_proof argument",
    "type": "GraphMethodException",
    "code": 100
  }
}

Actually, it seems pretty obvious, because the flag is set to true in the Facebook app options. However, I know it is possible, for the mobile SDKs, to make API requests without the secret. However, if I try to use the access token from the currentSession in the Facebook Graph API Debugger, the response will be the same as above.

I don't know if this is related to the new Android Facebook SDK, but my code is basically the same as in the examples. The login goes nicely and I get the session token but I can't make any API requests...

loginButton.setUserInfoChangedCallback(new LoginButton.UserInfoChangedCallback() {
    @Override
    public void onUserInfoFetched(GraphUser user) {
        graphUser = user;
    }
});


Request.newMeRequest(currentSession, new Request.GraphUserCallback() {
    @Override
    public void onCompleted(GraphUser user, Response response) {
        // As described in the question: user is null and the response carries the error above
    }
}).executeAsync();

Answered by dwbrito

The only way that I was able to get it working was by setting App Secret proof for API calls to No in the advanced settings of the Facebook app.

However, this is a fix, not a solution, since I wasn't able to do the request with the option set to Yes (as is possible in the iOS Facebook SDK).

Answered by lnx

You need to add a parameter "appsecret_proof" to your request containing a 'sha256' hash of accessToken and appSecret.

https://developers.facebook.com/docs/graph-api/securing-requests
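
The proof referred to in the answer above, as an added server-side example that is not part of the original answer: Facebook's securing-requests documentation defines it as the HMAC-SHA256 of the access token keyed with the app secret, hex-encoded. The function names and sample values are constructed for illustration; the app secret belongs on the server only and is never shipped inside a mobile or web client.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# /me is the Graph API endpoint that newMeRequest calls.
GRAPH_URL = "https://graph.facebook.com/me"

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = "EAAB-constructed-user-token"
SAMPLE_SECRET = "constructed-app-secret"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 keyed with the app secret over the access token, as hex."""
    return hmac.new(
        app_secret.encode("utf-8"),    # key: stays on the server
        access_token.encode("utf-8"),  # message: the user's access token
        hashlib.sha256,
    ).hexdigest()


def signed_me_url(access_token: str, app_secret: str) -> str:
    """Build the /me URL a server sends when the app requires the proof."""
    params = {
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
    }
    # Only the proof travels with the request, never the secret itself.
    return GRAPH_URL + "?" + urlencode(params)


def proof_matches(access_token: str, app_secret: str, presented: str) -> bool:
    """Constant-time comparison of a presented proof against the expected one."""
    expected = appsecret_proof(access_token, app_secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    print(signed_me_url(SAMPLE_TOKEN, SAMPLE_SECRET))
    proof = appsecret_proof(SAMPLE_TOKEN, SAMPLE_SECRET)
    # A proof is bound to one token: reusing it with another token fails.
    print(proof_matches(SAMPLE_TOKEN, SAMPLE_SECRET, proof))
    print(proof_matches("some-other-token", SAMPLE_SECRET, proof))
```

Swapping the key and message, or hashing the two values concatenated, produces a different digest that the Graph API rejects.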

Answered by Donal

You need to disable Require App Secret in the Facebook app advanced settings.

Answered by turdus-merula

While not an actual answer to your question (since it doesn't involve the Android SDK), it seems that, as of March 2018, there still are some issues regarding the appsecret_proof and calls from web page (JavaScript) / and possibly mobile (not sure about that) clients.

Facebook bug report (February 2018) - issue reappeared

Facebook bug report (October 2016)

Facebook bug report (February 2015)

That is, for an application with Require App Secret enabled (App Dashboard > Settings > Advanced > Security > Require App Secret), it seems that one cannot perform API calls from JavaScript without passing the appsecret_proof - at the moment of writing (March 2018).

Quick "fix" - disable the flag. Depending on the requirements, one may also choose to have two Facebook applications: one for web page / mobile calls (flag disabled), and one for server side calls (flag enabled).
